About a year ago I had a conversation with a recently departed senior executive from one of the leading legacy WAF vendors. It was a short call, mostly one where I explained Signal Sciences and our progress on reinventing the WAF market, but it ended with this seemingly puzzling exchange.
Me: Thank you again for your time! You all have paved the way for the WAF market over the last 10 years. Any advice for some ambitious upstarts as you pass the torch?
Him: (Pausing thoughtfully) Well, this may seem basic, but I think this is the most important lesson I’ve learned in my position. Don’t ignore customers after you close the deal to just focus on the next new deal.
Me: (Trying to process his message and seeking clarification) You mean make sure existing customers are having success with the product and continue collecting their feedback on how to improve it over time?
Him: Yes, that. But I’d say something more basic than that: make sure you’re able to see the customer through to install after the deal closes.
Me: Uhh… (Thinking in my head: After many years of leading what was considered at the time one of the best WAF businesses in the world, your advice is to make sure you get your product installed after someone has spent millions of dollars on the purchase?) Ok, gotcha.
Me: (Realizing what he was saying, and understanding that there wasn’t a great way to follow up without leading to a potentially embarrassing exchange, I tried to politely wrap up the call.) Great insight, and thank you again for your time!
I’ve reflected on this exchange many times over the past year because it has helped to explain so much of what I’ve been struggling to understand since we started Signal Sciences over 4 years ago. That is: why does the industry so uniformly dislike WAF technology, and why, despite the fact that market penetration of WAFs is high (roughly 50%), do applications continue to be the #1 source of breaches every year (according to the Verizon DBIR)?
It’s because while the “leading” WAFs in this space get purchased, it’s tragically common that they never get installed after the purchase. And then what happens to the security teams who spend millions of dollars on the purchase and literally months of time and favors from the tech operations and dev teams attempting to get the product installed, only to eventually give up and/or have it running off to the side of the app, providing no protection at all? At best they’re content to say they tried their best with the market-leading technology and chalk it up to being “just how it is.” At worst they’re completely burned on WAF and embarrassed to have wasted so many resources to make almost no progress on securing what they know to be an incredibly vulnerable and evolving part of their technology infrastructure: their software applications.
The Growth of the WAF Marketplace
But let’s take a quick step back. It’s estimated that roughly $2B is spent on WAF technology around the world each year, and that market has been growing at a steady and very healthy 20% year over year for the last decade.
Why do companies keep buying a product that isn’t solving the real problems they’re facing?
1) When WAFs were initially invented in the late 1990s, web applications were *very* simple (think mostly static marketing websites that had only an input field to collect your email address and no real functionality). In this world, installation was easier, and simple signature-based detection methods were effective and manageable for web traffic.
2) Compliance standards like PCI included WAF as a preventive control. So if you wanted to process credit card information, you likely had to add a WAF to your infrastructure, regardless of the product’s technical efficacy (or lack thereof).
WAFs became a staple in security budgets and have continued to be purchased and adopted ever since.
WAFs Never Evolved
Fast forward 20 years, and the SaaS and mobile revolutions have made web and mobile apps massively complex. These apps have grown not only in complexity but also in scope, as they’re depended on to deliver valuable consumer and enterprise services every single day. This broad consumer adoption has made the app drastically more appealing and easier to attack than ever.
And here’s the big problem: WAFs never evolved.
If you look at almost all the commercially available WAFs today, they’re built on the same installation model, detection model, and core technology assumptions as they were 20 years ago. The market has grown because compliance required it, not through genuine growth driven by valuable technology innovation.
So we’re seemingly stuck with WAF technology where analysts tell me, under their breath and with understandable disappointment, “there hasn’t been meaningful innovation in the space in years.”
CISOs tell me they buy because “you have to buy something” but really only “expect protection from the lowest hanging fruit,” all while knowing WAFs can’t get installed in modern architectures.
To make matters worse, engineers have learned to immediately dismiss the idea of a WAF and see WAFs as irrelevant and ineffective.
In the most recent DevSecOps Community Survey, WAFs were reported as the 'most critical application security tool,' yet 33% of respondents still reported a breach or suspected breach due to a web application.
Simply put, legacy WAFs are failing modern organizations.
All that said, Signal Sciences’ founding story wasn’t about setting out to make a better Web Application Firewall. We tried WAFs while building a security team at Etsy in the midst of our engineering teams adopting cloud and DevOps. We ended up believing that the WAFs’ inefficacy was at least partially unique to us because of the new technology our engineering teams were adopting. So, instead, we gave up on legacy WAFs and started from scratch on the problem of securing and protecting our apps.
In the process, we learned of a new paradigm for app protection, one that put the app owners (spanning engineering, operations, and DevOps groups) at the center of application security.
Our solution was built for complex, multi-cloud and hybrid cloud architectures, focused on using automation to achieve effective, scalable protection and visibility into both your apps and your attackers. We felt we had discovered a new paradigm for web application defense, one that actually worked in this new era of computing.
Signal Sciences was founded to bring that paradigm to everyone. We started our efforts four years ago, and we’re now protecting over 10,000 apps and hundreds of billions of production web requests per week. We couldn’t be more excited about the future for Signal Sciences and our customers, who are finally getting the innovation and protection they’ve deserved for so many years.
But we need your help, fellow practitioners, CISOs, and CTOs! We need you to look for something new after so many years of failed promises, just like Carbon Black, Cylance, and CrowdStrike brought something new to the failed promises of anti-virus. We need you to believe that security teams and engineering teams can work together to secure your applications. We need you to believe you can get effective protection without having to put up with constant false positives and massive latency.
We need you to DEMAND MORE from your web application firewall (and give something new a try!).